Assembly Calling Convention: x64 __fastcall (Patreon)

Windows x64 __fastcall

• The first four arguments are passed in RCX, RDX, R8, R9
• Argument sizes up to QWORD are passed directly, anything else is passed by reference
• Return values up to QWORD are returned in RAX
• Registers RBX, RBP, RDI, RSI, RSP, R12, R13, R14, R15, and XMM6-XMM15 are restored (non-volatile)

Windows x64 Shadow Store

• All non-leaf functions — functions that call other functions — must allocate Shadow Store (Shadow Space) for the functions they call
• The shadow store is space that can be used by the callee to save the 4 arguments passed via the registers (4 args * 8 bytes = 32 bytes)
• The shadow store must be stored next to the caller return address
• The stack must be aligned to 16 bytes
• Arguments pushed on the stack are pushed after the shadow store

MSDN x64 calling convention documentation 

Practice Examples

Attached to this post is a copy of the HelloWorld PE file from our tutorial. You are encouraged to open this sample in IDA and identify the function calling conventions as well as the stack adjustment calculations.